Support » Plugin: Jeepers Peepers: WP Syslog » Looks great so far

  • Would be neat to have some recommended additional OSSEC rules if possible – right now I’m not doing anything special but I suppose some additional rules may be useful. Thanks for submitting this though!

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Blobfolio

    (@blobfolio)

    I’m glad you’re finding it helpful, @robkumd!

    First things first, life will be easier with a decoder set up. I wish OSSEC had better RegExp support, but until then, this’ll do:

    <!-- local_decoders.xml -->
    <decoder name="wordpressaudit">
    	<prematch>^WordPressAudit \d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d </prematch>
    	<regex offset="after_prematch">^[(\S+)] \S+ (\S+) </regex>
    	<order>action, srcip</order>
    </decoder>

    And here are some basic rules to help get you started, with a couple cautions:

    1. OSSEC data can add up really quickly. If any of these events cover rules you don’t care about, I recommend you just delete them.
    2. Depending on what your active response set up is like, you’ll probably want to bump some of the levels up or down. (It’d be unfortunate if someone got banned every time they wrote a post. Haha.)
    <!-- local_rules.xml -->
    <group name="wordpressaudit,">
    	<rule id="96000" level="0">
    		<decoded_as>wordpressaudit</decoded_as>
    		<description>WordPress messages grouped.</description>
    	</rule>
    
    	<rule id="96001" level="5">
    		<if_sid>96000</if_sid>
    		<match>User authentication failed</match>
    		<description>WordPress authentication failed.</description>
    		<group>authentication_failed,</group>
    	</rule>
    
    	<rule id="96002" level="3">
    		<if_sid>96000</if_sid>
    		<match>User authentication succeeded</match>
    		<description>WordPress authentication succeeded.</description>
    		<group>authentication_success,</group>
    	</rule>
    
    	<rule id="96004" level="3">
    		<if_sid>96000</if_sid>
    		<match>Deactivated plugin</match>
    		<description>WordPress plugin deactivated.</description>
    	</rule>
    
    	<rule id="96005" level="3">
    		<if_sid>96000</if_sid>
    		<match>Activated plugin</match>
    		<description>WordPress plugin activated.</description>
    	</rule>
    
    	<rule id="96010" level="2">
    		<if_sid>96000</if_sid>
    		<match>Published post</match>
    		<description>WordPress post published.</description>
    	</rule>
    
    	<rule id="96011" level="2">
    		<if_sid>96000</if_sid>
    		<match>Deleted post</match>
    		<description>WordPress post deleted.</description>
    	</rule>
    
    	<rule id="96012" level="3">
    		<if_sid>96000</if_sid>
    		<match>GET Apocalypse Meow</match>
    		<description>WordPress login denied by Apocalypse Meow.</description>
    	</rule>
    
    	<rule id="96013" level="5">
    		<if_sid>96000</if_sid>
    		<match>POST Apocalypse Meow</match>
    		<description>WordPress login denied by Apocalypse Meow.</description>
    	</rule>
    
    	<rule id="96014" level="5">
    		<if_sid>96000</if_sid>
    		<match>User (whitelist) authentication failed</match>
    		<description>WordPress (whitelist) authentication failed.</description>
    		<group>authentication_failed,</group>
    	</rule>
    
    	<rule id="96051" level="10" frequency="15" timeframe="900">
    		<if_matched_sid>96001</if_matched_sid>
    		<same_source_ip />
    		<description>Multiple WordPress authentication failures.</description>
    		<group>authentication_failures,</group>
    	</rule>
    
    	<rule id="96052" level="10" frequency="5" timeframe="600">
    		<if_matched_sid>96013</if_matched_sid>
    		<same_source_ip />
    		<description>Multiple WordPress logins attempted without form.</description>
    		<group>authentication_failures,</group>
    		<options>no_email_alert</options>
    	</rule>
    </group>

    hero!! thanks for this. really appreciate it. will integrate into my stack this weekend and fire it up!

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Looks great so far’ is closed to new replies.